SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025.
“In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” Arctic Wolf Labs researcher Julian Tuin said in a report.
The cybersecurity company suggested that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day flaw, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn’t been ruled out.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although Arctic Wolf said that it has observed similar malicious VPN logins as far back as October 2024, suggesting sustained efforts to target the devices.
“A short interval was observed between initial SSL VPN account access and ransomware encryption,” it said. “In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.”
Queries sent to SonicWall for further details on the activity did not elicit a response until the publishing of this article. As mitigations, organizations are advised to consider disabling the SonicWall SSL VPN service until a patch is made available and deployed, given the likelihood of a zero-day vulnerability.
Other best practices include enforcing multi-factor authentication (MFA) for remote access, deleting inactive or unused local firewall user accounts, and following password hygiene.
As of early 2024, Akira ransomware actors are estimated to have extorted approximately $42 million in illicit proceeds after targeting more than 250 victims. It first emerged in March 2023.
Statistics shared by Check Point show that Akira was the second most active group in the second quarter of 2025 after Qilin, claiming 143 victims during the time period.
“Akira ransomware maintains a special focus on Italy, with 10% of its victims from Italian companies compared to 3% in the general ecosystem,” the cybersecurity company said.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Cursor AI Code Editor Fixed Flaw Allowing Attackers to Run Commands via Slack MCP